Restore Process

From The iPhone Wiki

1.1.4 > 2.0 Restore

This restore was performed, logged and dumped by scotty2. It was originally part of a manifesto written while cracking the img3 format, so it may be typed up a little oddly.

The Process

  1. iTunes maps iBEC (WTF.m68ap.RELEASE.dfu) at 0x90000000.
  2. iBoot decrypts it, as it is an Img2 file, then runs it.
  3. iBEC does a check to see if it is mapped at 0x18000000, and if it is not, it remaps itself there.
  4. Sometime at the beginning of the iBEC's routine, it gives the iPhone whatever it needs to decrypt Img3 files, as you will obviously guess by reading the rest of these steps.
  5. iTunes sends iBEC the kernelcache and the ramdisk, both in Img3 format.
  6. iBEC decrypts the ramdisk and kernelcache, then boots the kernelcache.
  7. The ramdisk and kernel then copy the rootfs over and flash the new devicetree, iBEC, iBSS, and iBoot.
  8. After the rootfs and the Img3 files, it flashes the baseband and friends.
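As an added illustration of the two container formats the steps above keep apart (iBoot handles the Img2 iBEC in step 2, iBEC handles the Img3 kernelcache and ramdisk in steps 5 and 6), here is a small Python parser that tells the two apart by their magic and walks an Img3 file's tag list with bounds checks. It is not code from this page or from scotty2; the Img3 layout it assumes (a header of magic, fullSize, sizeNoPack, sigCheckArea and ident, followed by tags each carrying magic, totalLength and dataLength) is the publicly documented one, and the sample image it builds is constructed, not a real Apple file.

```python
import struct
from typing import Dict, List, Tuple

# Img2/Img3 magics and tag names are little-endian uint32s, so on disk the
# four ASCII bytes appear reversed ("Img3" is stored as "3gmI").
def _tag(magic: bytes, data: bytes) -> bytes:
    # One Img3 tag: magic, totalLength (header + padded data), dataLength, data.
    body = data + b"\0" * ((-len(data)) % 4)
    return magic[::-1] + struct.pack("<II", 12 + len(body), len(data)) + body

def build_img3(ident: bytes, tags: List[Tuple[bytes, bytes]]) -> bytes:
    """Build a constructed (dummy, unsigned) Img3 container for testing."""
    body = b"".join(_tag(m, d) for m, d in tags)
    # header: magic, fullSize, sizeNoPack, sigCheckArea, ident
    hdr = b"Img3"[::-1] + struct.pack("<III", 20 + len(body), len(body), len(body))
    return hdr + ident[::-1] + body

def parse_image(blob: bytes) -> Dict:
    """Classify a firmware image as Img2 or Img3; for Img3, return ident and tags."""
    magic = blob[:4][::-1]
    if magic == b"Img2":
        return {"format": "Img2", "tags": []}       # iBoot's job, not iBEC's
    if magic != b"Img3":
        raise ValueError("not an Img2/Img3 container")
    full, size_nopack, sig_area = struct.unpack_from("<III", blob, 4)
    if full > len(blob):
        raise ValueError("fullSize exceeds buffer (truncated image)")
    ident = blob[16:20][::-1].decode("ascii")
    tags: List[Tuple[str, bytes]] = []
    off = 20
    while off + 12 <= full:
        tmagic = blob[off:off + 4][::-1].decode("ascii")
        total, dlen = struct.unpack_from("<II", blob, off + 4)
        # Reject tags whose lengths point outside the tag or the file.
        if total < 12 or dlen > total - 12 or off + total > full:
            raise ValueError("malformed tag %s at offset %d" % (tmagic, off))
        tags.append((tmagic, blob[off + 12:off + 12 + dlen]))
        off += total
    return {"format": "Img3", "ident": ident, "sigCheckArea": sig_area,
            "sizeNoPack": size_nopack, "tags": tags}

# Constructed sample: a 'krnl' image with a TYPE tag and a 5-byte DATA payload.
SAMPLE = build_img3(b"krnl", [(b"TYPE", b"krnl"), (b"DATA", b"\x01\x02\x03\x04\x05")])

if __name__ == "__main__":
    info = parse_image(SAMPLE)
    print(info["format"], info["ident"], [m for m, _ in info["tags"]])
```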